Spyware, viruses, & security forum: NEWS - March 22, 2013

SEOUL, South Korea (AP) — South Korean investigators said Friday they had mistakenly identified a Chinese Internet address as the source of a cyberattack that paralyzed tens of thousands of computers at banks and broadcasters earlier this week. But they said they still believe the attack originated from abroad.

The error by South Korean regulators raises questions about their ability to track down the source of an attack that hit 32,000 computers at six companies Wednesday and exposed South Korea's Internet security and vulnerability to hackers.

South Korean investigators said Thursday that malicious code that spread through the server of one target, Nonghyup Bank, was traced to an Internet Protocol address in China. Even then it was clear that the attack could have originated somewhere else, because such data can easily be manipulated by hackers. Experts suspect North Korea was behind the attack.

The optional feature will require users to verify their identities beyond providing their passwords when: signing in to an Apple ID to manage an account; buying something on iTunes, the App Store, or iBooks; or getting Apple ID-related support from Apple.

"Turning on two-step verification reduces the possibility of someone accessing or making unauthorized changes to your account information at My Apple ID or making purchases using your account," Apple said on its support website.

If you sign up for two-factor authentication, Apple will send a four-digit code to a trusted device capable of receiving such messages (like your iPhone) every time you try to sign in to your iCloud or Apple ID account, which you will have to enter as well as your standard password.

Researchers at AlienVault shed some light on the evolution of the Sykipot malware attacks.

The Sykipot attacks have exploited a number of zero-days during the past few years, including vulnerabilities affecting Adobe Reader, Adobe Flash Player and Microsoft Internet Explorer.

"In the past most of the campaigns which we found related to the Sykipot actors were based on [spear-phishing] mails with attachments that exploited vulnerabilities in software like Microsoft Office, Adobe Flash, Adobe PDF and sometimes Internet Explorer," blogged Jaime Blasco, director of AlienVault Labs. "During the last 8-10 months we have seen a change and the number of [spear-phishing] campaigns which have included a link instead of an attachment and this has increased. Once the victim clicks in the link the attackers will use vulnerabilities in Internet Explorer, Java, etc to access the system."

The campaigns include one where a malicious site was set up in an attempt to phish government employees by masquerading as a webpage about GSA SmartPay charge cards. The page also exploited CVE-2012-1889, a vulnerability affecting Microsoft XML Core Services.

The events of the past week reminded me of a privacy topic I've been meaning to revisit: That voice-over-IP telephony service Skype constantly exposes your Internet address to the entire world, and that there are now numerous free and commercial tools that can be used to link Skype user account names to numeric Internet addresses.

The fact that Skype betrays its users' online location information is hardly news. For example, The Wall Street Journal and other news outlets warned last year about research showing that it was possible to coax Skype into revealing the IP addresses of individual Skype users. But I believe most Skype users still have no clue about this basic privacy weakness.

What's changed is that over the past year, a number of services have emerged to help snoops and ne'er-do-wells exploit this vulnerability to track and harass others online. For example, an online search for "skype resolver" returns dozens of results that point to services (of variable reliability) that allow users to look up the Internet address of any Skype user, just by supplying the target's Skype account name.

Security researcher Rishi Narang has identified a vulnerability that could be exploited by cybercriminals to hijack accounts belonging to Microsoft, Twitter, LinkedIn and Yahoo users. Google and Facebook customers are not impacted by the flaw.

According to the expert, the vulnerability, which can be leveraged to launch session fixation attacks, is caused by an issue with the management of cookies and sessions.

If an attacker can intercept authentication cookies, he can use them to hijack the account because although an expiry date is set, they're still valid even after the customer logs out.

"The cookie/session ID for an authenticated session is available even after the session has been terminated. There are examples where cookies can be accessible to hijack authenticated sessions," Narang explained.

Two message boards used by the Sanny malware as a command-and-control channel have been shut down by the Korea Information Security Agency in conjunction with security company FireEye.

Sanny is a targeted attack, attributed to attackers in Korea, against individuals working in Russia's aerospace, IT, education and telecommunications industries. The malware spread via a rigged Microsoft Word document attached to spear phishing email. The text in the email is written in Cyrillic; the document is a decoy that drops a malicious executable and two .dll files.

The message board hosting the malicious C&C channel is a legitimate board, nboard[.]net. Previous Sanny-based attacks were communicating through pages called ecowas_1 and kbaksan_1.

"Based on the time stamps and other indicators, we believe that both samples were created and deployed at the same time," FireEye said in a blogpost. "The attacker probably used different boards/DBs to divide victims to make sure that if one goes down he/she still can keep getting the stolen data from the remaining ones."

A new piece of custom malware sold on the underground Internet market is being used to siphon payment card data from point-of-sale (POS) systems, according to security researchers from antivirus vendor McAfee.

Dubbed vSkimmer, the Trojan-like malware is designed to infect Windows-based computers that have payment card readers attached to them, McAfee security researcher Chintan Shah said Thursday in a blog post.

The malware was first detected by McAfee's sensor network on Feb. 13 and is currently being advertised on cybercriminal forums as being better than Dexter, a different POS malware program that was discovered back in December.

"Don't lift a finger: Yontoo has been added to OS X's built-in protections."

A day after Russian anti-virus firm Doctor Web highlighted an adware Mac trojan called "Yontoo," Apple has moved to block it. As confirmed by Intego, Apple has updated the definitions included in OS X's Xprotect.plist in order to detect the adware, meaning users don't need to run anything special in order to be protected.

"In testing, it appears this detection is very specific and potentially location-dependent," wrote Intego. "This extra specificity is likely there so as to catch only the surreptitious installations of this file."

As we wrote on Thursday, the Yontoo adware socially engineers users into installing it as a browser plugin. Once it's installed into Safari, Firefox, and Chrome, the plugin injects advertising into the websites you're visiting—including those that don't even normally show ads.
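The Apple two-step verification item above describes a four-digit code pushed to a trusted device and typed in alongside the password. A four-digit code has only 10,000 possible values, so the server-side handling matters as much as the code itself: it must expire quickly, work exactly once, and be discarded after a few wrong guesses. The example below is added here to show that handling; it is not Apple's code and nothing on the page describes Apple's implementation. The code lifetime (300 seconds), the attempt limit (3) and the pepper value are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets

CODE_DIGITS = 4
CODE_TTL = 300      # seconds a code stays valid (assumed; the article gives no lifetime)
MAX_ATTEMPTS = 3    # wrong guesses before the code is discarded (assumed)


class SecondFactorStore:
    """In-memory store of pending one-time codes, keyed by account.

    Codes are stored as keyed hashes, so a dump of this store does not
    reveal a code that is still valid. The pepper is a constructed demo
    value; a real deployment would load it from a secret store.
    """

    def __init__(self, pepper: bytes = b"constructed-demo-pepper"):
        self.pepper = pepper
        self.pending = {}  # account -> {"digest", "exp", "attempts"}

    def _digest(self, code: str) -> bytes:
        return hmac.new(self.pepper, code.encode(), hashlib.sha256).digest()

    def issue(self, account: str, now: int) -> str:
        """Create a fresh code after the password check has already passed.

        The code would be delivered to the trusted device; it is returned
        here only so the demo can exercise verify().
        """
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[account] = {
            "digest": self._digest(code),
            "exp": now + CODE_TTL,
            "attempts": 0,
        }
        return code

    def verify(self, account: str, submitted: str, now: int) -> bool:
        """Accept the code at most once, within its lifetime, within the guess budget."""
        entry = self.pending.get(account)
        if entry is None:
            return False
        if now >= entry["exp"]:
            del self.pending[account]  # stale code is never accepted
            return False
        entry["attempts"] += 1
        # Constant-time comparison of keyed hashes, not of the raw digits.
        ok = hmac.compare_digest(entry["digest"], self._digest(submitted))
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            # Single use on success; burned after too many wrong guesses,
            # which is what keeps a 10,000-value code from being brute-forced.
            del self.pending[account]
        return ok

    def has_pending(self, account: str) -> bool:
        return account in self.pending
```

The verify path deletes the entry on success, on expiry, and on the third wrong guess, so a second submission of the same code fails even when it is correct, and an attacker who has the password still gets only three tries per issued code.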
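The Rishi Narang item above makes two points: a session identifier that stays valid after logout, and session fixation. Both come down to whether the server keeps its own record of live sessions or trusts anything that carries a valid expiry. The example below is added here to show the weak pattern beside the hardened one; it is not Narang's code and does not reproduce any vendor's implementation. The signed-cookie format, the one-hour session lifetime, the signing key and the timestamps are all constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-demo-signing-key"  # constructed; never hard-code a real key
SESSION_TTL = 3600                        # seconds; assumed, the article gives none


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_cookie(sid: str, user, now: int) -> str:
    """Signed cookie carrying a session id, the user and an expiry date."""
    payload = json.dumps({"sid": sid, "user": user, "exp": now + SESSION_TTL}).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def parse_cookie(cookie: str, now: int):
    """Claims if the signature checks out and the cookie is unexpired, else None."""
    try:
        p, t = cookie.split(".")
        payload, tag = _unb64(p), _unb64(t)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)
    return None if claims["exp"] <= now else claims


class ExpiryOnlyServer:
    """Weak pattern: any correctly signed, unexpired cookie authenticates.
    Logout only tells the browser to drop the cookie; a captured copy keeps working."""

    def login(self, user, now):
        return make_cookie(secrets.token_hex(16), user, now)

    def logout(self, cookie, now):
        pass  # nothing is recorded server-side

    def user_for(self, cookie, now):
        claims = parse_cookie(cookie, now)
        return claims["user"] if claims else None


class RevocableServer:
    """Hardened pattern: the server tracks live session ids, removes them on
    logout, and issues a fresh id at login so a pre-login id cannot be reused."""

    def __init__(self):
        self.active = {}  # sid -> user (None for anonymous sessions)

    def anonymous(self, now):
        sid = secrets.token_hex(16)
        self.active[sid] = None
        return make_cookie(sid, None, now)

    def login(self, user, now, prior_cookie=None):
        prior = parse_cookie(prior_cookie, now) if prior_cookie else None
        if prior:
            self.active.pop(prior["sid"], None)  # retire the pre-login id
        sid = secrets.token_hex(16)               # new id defeats fixation
        self.active[sid] = user
        return make_cookie(sid, user, now)

    def logout(self, cookie, now):
        claims = parse_cookie(cookie, now)
        if claims:
            self.active.pop(claims["sid"], None)  # revoke server-side

    def user_for(self, cookie, now):
        claims = parse_cookie(cookie, now)
        if claims is None or claims["sid"] not in self.active:
            return None
        return self.active[claims["sid"]]


def replay_after_logout(server_cls) -> bool:
    """True if a cookie captured before logout still authenticates afterwards."""
    srv = server_cls()
    now = 1_363_910_400  # constructed timestamp
    captured = srv.login("alice", now)
    srv.logout(captured, now + 10)
    return srv.user_for(captured, now + 20) == "alice"


def fixation_defeated() -> bool:
    """True if a session id known before login is useless after login."""
    srv = RevocableServer()
    now = 1_363_910_400
    pre = srv.anonymous(now)  # an id an attacker could have learned or planted
    post = srv.login("alice", now + 5, prior_cookie=pre)
    pre_sid = parse_cookie(pre, now)["sid"]
    post_sid = parse_cookie(post, now)["sid"]
    return pre_sid != post_sid and srv.user_for(pre, now + 10) is None
```

The expiry date in the cookie is identical in both servers; the difference is that `RevocableServer` consults its own table on every request and clears the entry on logout, which is the check the article says was missing.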
